A phishing scam is hooking Yahoo users by stealing their
user names and passwords when they log into what looks like an area of the Yahoo site,
according to a security firm.

San Diego-based Websense said scammers send an e-mail or
instant message that claims to be from a contact wanting to show off photos
of a recent event. The message contains a link to a phishing site, which records the user's Yahoo ID and password, and then forwards the Yahoo
ID and password on to the real Yahoo Photos site.

The scam is being hosted in the United States on the free Web space provided
by the Yahoo Geocities service, according to Websense.

"It is hard to gauge, but we've had a number of reports," Dan Hubbard,
senior director of security at Websense, said. "But I wouldn't be alarmed at
this point."

The scammers are also harvesting the contacts from each victim's contact
lists, said Hubbard.

"We've seen people who have had an attacker take all contacts within the list and then forward the same message to each of those," he said.

Hubbard said it would be hard for users of Yahoo Photos to tell if they'd
been phished unless a contact informed them about the message supposedly
originating from them.

"The only sign we know is if some contacts received the same
message," Hubbard said.

"When we learn about phishing sites, we remove them as quickly as possible.
Yahoo treats users' security as a top priority and continues to take a hard
look at how to effectively combat phishing," Yahoo said in a statement.